Oct. 11, 2019
Boeing and F.A.A. Faulted in Damning Report on 737 Max Certification
By David Gelles and Natalie Kitroeff
Boeing failed to adequately explain to regulators a new automated system that contributed to two crashes [1] of the 737 Max, and the Federal Aviation Administration lacked the capability to effectively analyze much of what Boeing [2] did share about the new plane.
Those are among the findings in a damning report released on Friday by a multiagency task force that the F.A.A. [3] convened to scrutinize the Max's certification process after the second plane crashed in March.
The review scrutinized the F.A.A.'s certification of the Max's flight control system, [4] including the new automated system, MCAS, that played a role in both crashes, in Indonesia last October and in Ethiopia in March.
In each crash, pilots struggled [5] as a single damaged sensor sent the plane into an irrecoverable nose-dive within minutes of takeoff. A total of 346 people were killed in the crashes, which prompted regulators around the world to ground the Max. [6]
The report found that while the F.A.A. had been made aware of MCAS, "the information and discussions about MCAS were so fragmented and were delivered to disconnected groups" that it "was difficult to recognize the impacts and implications of this system."
The task force said it believed that if F.A.A. technical staff had been fully aware of the details of MCAS, the agency would probably have required additional scrutiny of the system that might have identified its flaws.
Boeing is now updating the system [7] to make it less powerful, and it says it will install a modified version when the Max, [8] which is still grounded, returns to service.
The F.A.A.'s administrator, Steve Dickson, said in a statement that he would "review every recommendation and take appropriate action."
"We welcome this scrutiny and are confident that our openness to these efforts will further bolster aviation safety worldwide," he added.
In a statement, the Boeing spokesman Gordon Johndroe said "safety is a core value for everyone at Boeing," and that the company "is committed to working with the F.A.A. in reviewing the recommendations and helping to continuously improve the process and approach used to validate and certify airplanes going forward."
A broad theme of the report is that the F.A.A. was too focused on the specifics of the new system and did not put sufficient effort into understanding its overall impact on the plane. In certification documents that Boeing submitted to the F.A.A., MCAS was not evaluated as "a complete and integrated function" on the new plane.
The report also said Boeing had failed to inform the F.A.A. as the design of MCAS changed during the plane's development. A New York Times investigation revealed that the system changed dramatically [9] during that process, making MCAS riskier and more powerful, and that key F.A.A. officials were unaware of major changes to the system.
The task force said the certification documents that Boeing provided to the F.A.A. "were not updated during the certification program to reflect the changes" made to MCAS. It added that two critical documents that describe the potential dangers of a system like MCAS, the system safety assessment and the functional hazard assessment, "were not consistently updated."
Boeing also failed to thoroughly stress-test the design of MCAS, according to the report, which found that "the design assumptions were not adequately reviewed, updated or validated."
In addition, the report criticized Boeing for not adequately assessing the extra effort pilots might have to make to deal with MCAS, and it noted that Boeing had removed mention of MCAS from a draft of the pilot's manual. As a result of that decision, some key F.A.A. officials were not fully aware of MCAS and were "not in a position to adequately assess training needs," the report found.
To address some of these shortcomings, the report recommends that the F.A.A. update the certification process to allow the agency to be more involved in the design process early on.
The Max [10] was certified in 2017 as the latest version of the 737 family. Because it was based on a well-known design, the F.A.A. allowed it to undergo a less thorough certification process than if it were an entirely new plane.
"Some elements of the design and certification remain rooted in the original 1967 certification of the B737-100," the review found. But while some modern safety tools have been incorporated into new versions of the 737, others were not included in the Max because they were deemed "impractical," the review found.
Overall, the report found fault with the process for certifying a new plane based on an old design, saying that it "lacks an adequate assessment of how proposed design changes integrate with existing systems."
It recommended that the F.A.A. confirm that the Max is in fact compliant with regulations having to do with the plane's flight guidance system, flight manual and stall demonstration.
Those recommendations, which could affect whether the plane is allowed back into service, have already been addressed by the F.A.A., according to a person familiar with the process. The effort to address those issues has contributed to the prolonged grounding of the Max.
The Joint Authorities Technical Review, which produced the report, was led by Chris Hart, a former chairman of the National Transportation Safety Board, and included representatives from the F.A.A., NASA and aviation regulators from Europe, China, Brazil and other countries.
To conduct the review, Mr. Hart and his team were briefed by F.A.A. officials and Boeing executives, and they scrutinized extensive documentation on the certification of the Max.
In both of the flights that crashed, the pilots had a hard time identifying the cause of the problems and were unable to bring the planes under control.
The review found that the F.A.A. certification process had failed to adequately consider "pilot recognition time and pilot reaction time to failures." In particular, the review suggested that the F.A.A. question Boeing's assumption that pilots could react to a malfunction similar to the one caused by MCAS in just four seconds.
One source of the problems with the certification of the Max was the F.A.A. office in Seattle [11] that oversees Boeing, according to the report. It found that the Boeing office had "limited experience and knowledge of key technical aspects" of the Max.
In the end, the F.A.A. was simply unable to effectively assess MCAS, the review found.
"The F.A.A. had inadequate awareness of the MCAS function," which meant that the agency could not adequately assess Boeing's certification of the system, the report found.
The review also said there were signs that Boeing employees who worked on behalf of the F.A.A. to certify the Max had at times faced conflicts of interest. It recommended that the F.A.A. review staffing levels at its Boeing office in Seattle, as well as reviewing the Boeing office that allows company employees to perform certification work.
[1] https://www.nytimes.com/2019/08/07/business/boeing-737-max-faa-recertification-stumo.html
[2] https://www.nytimes.com/2019/03/23/business/boeing-737-max-crash.html
[3] https://www.nytimes.com/2019/04/11/business/boeing-faa-mcas.html
[4] https://www.nytimes.com/2019/10/02/business/boeing-737-max-crashes.html
[5] https://www.nytimes.com/2019/03/16/business/boeing-max-flight-simulator-ethiopia-lion-air.html
[6] https://www.nytimes.com/2019/05/23/business/boeing-737-max-faa-regulation.html
[7] https://www.nytimes.com/2019/04/01/business/boeing-737-max-software-fix.html
[8] https://www.nytimes.com/2019/03/21/business/boeing-safety-features-charge.html
[9] https://www.nytimes.com/2019/06/01/business/boeing-737-max-crash.html
[10] https://www.nytimes.com/2019/04/08/business/boeing-737-max-.html
[11] https://www.nytimes.com/2019/07/27/business/boeing-737-max-faa.html